jm33-m0 / emp3r0r

Linux/Windows post-exploitation framework made by linux user
https://infosec.exchange/@jm33
MIT License
1.24k stars, 235 forks

Agent cannot read config data after manual UPX compression #248

Closed winezer0 closed 7 months ago

winezer0 commented 10 months ago

Describe the bug

My version is v1.31.5.

The generated agent program cannot run properly after UPX compression.

To Reproduce

Steps to reproduce the behavior:

  1. Generate the agent program
  2. Run the program: error!!!

Expected behavior

Screenshots

amd64 bug

# uname -a
Linux 2.6.32-431.el6.x86_64 #1 SMP Sun Nov 10 22:19:54 EST 2013 x86_64 x86_64 x86_64 GNU/Linux

# chmod +x ./aba64.zipx
# VERBOSE=true  ./aba64.zipx
2023/08/30 17:18:27.863881 main.go:71: emp3r0r agent has started
2023/08/30 17:18:27.907266 proc.go:193: GetChildren: open /proc/147753/task/147753/children: no such file or directory
2023/08/30 17:18:27.907309 main.go:139: Hiding PIDs: open /proc/147753/task/147753/children: no such file or directory
2023/08/30 17:18:27.907328 main.go:156: Error removing agent file from disk: remove [kworker/11:: no such file or directory
2023/08/30 17:18:27.907344 mem.go:61: Read 0 bytes from process executable
2023/08/30 17:18:27.907349 mem.go:17: Extract data from executable: open /proc/147753/exe: no such file or directory
2023/08/30 17:18:27.926969 mem_linux.go:46: c000400000-c004000000 ---p 00000000 00:00 0: not readable
2023/08/30 17:18:28.015378 mem_linux.go:46: 7f4eddc88000-7f4eee201000 ---p 00000000 00:00 0: not readable
2023/08/30 17:18:28.015419 mem_linux.go:46: 7f4eee202000-7f4f000b1000 ---p 00000000 00:00 0: not readable
2023/08/30 17:18:28.015430 mem_linux.go:46: 7f4f000b2000-7f4f02487000 ---p 00000000 00:00 0: not readable
2023/08/30 17:18:28.015439 mem_linux.go:46: 7f4f02488000-7f4f02901000 ---p 00000000 00:00 0: not readable
2023/08/30 17:18:28.015452 mem_linux.go:46: 7f4f02902000-7f4f02981000 ---p 00000000 00:00 0: not readable
2023/08/30 17:18:28.015603 mem_linux.go:58: ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]: failed to parse start
2023/08/30 17:18:28.015610 mem_linux.go:62: ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]: failed to parse end
2023/08/30 17:18:28.015615 mem_linux.go:70: ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]: nothing read
2023/08/30 17:18:28.015636 mem.go:73: Trying magic string 000000000000000000000000000000000000000000000000000000000000000000000000 (36 bytes)
2023/08/30 17:18:28.048026 mem.go:108: Nothing in memory region 0 (8675328 bytes): Digged nothing from 8675328 of given data
2023/08/30 17:18:28.048055 mem.go:73: Trying magic string 000000000000000000000000000000000000000000000000000000000000000000000000 (36 bytes)
2023/08/30 17:18:28.077864 mem.go:91: Now we have magic string 000000000000000000000000000000000000000000000000000000000000000000000000 (36 bytes)
2023/08/30 17:18:28.077892 mem.go:23: Found 33 bytes in memory
panic: crypto/cipher: input not full blocks

goroutine 1 [running]:
crypto/cipher.(*cbcDecrypter).CryptBlocks(0xf2d000?, {0xc000f349b2?, 0xc000f349a2?, 0x10?}, {0xc000f349b2?, 0x45147e?, 0x20?})
        /opt/hostedtoolcache/go/1.20.7/x64/src/crypto/cipher/cbc.go:145 +0x44b
github.com/jm33-m0/emp3r0r/core/lib/tun.AESDecryptRaw({0xc00030c0c0?, 0xc00030c0a0?, 0x20?}, {0xc000f349a2, 0x21, 0x21})
        /home/runner/work/emp3r0r/emp3r0r/core/lib/tun/aes.go:70 +0xf8
github.com/jm33-m0/emp3r0r/core/lib/agent.ApplyRuntimeConfig()
        /home/runner/work/emp3r0r/emp3r0r/core/lib/agent/config.go:24 +0xf8
main.main()
        /home/runner/work/emp3r0r/emp3r0r/core/cmd/agent/main.go:161 +0xbbc
#


Files with random names are generated (see screenshot).

I suspected a UPX error, but it doesn't work with the updated version either (see screenshot).

Errors are also reported in the i386 environment (see screenshot):

(root:/usr/local/web/www) $ VERBOSE=true ./agent
2023/08/28 13:01:30.471390 main.go:71: emp3r0r agent has started
2023/08/28 13:01:30.472169 proc.go:193: GetChildren: open /proc/22360/task/22360/children: no such file or directory
2023/08/28 13:01:30.472309 main.go:139: Hiding PIDs: open /proc/22360/task/22360/children: no such file or directory
2023/08/28 13:01:30.472430 main.go:156: Error removing agent file from disk: remove [kworke: no such file or directory
2023/08/28 13:01:30.472582 mem.go:61: Read 0 bytes from process executable
2023/08/28 13:01:30.472658 mem.go:17: Extract data from executable: open /proc/22360/exe: no such file or directory
2023/08/28 13:01:30.583765 mem_linux.go:46: 0b400000-2b400000 ---p 0b400000 00:00 0: not readable
2023/08/28 13:01:30.586895 mem_linux.go:46: af8d6000-b7ee6000 ---p af8d6000 00:00 0: not readable
2023/08/28 13:01:30.589412 mem.go:73: Trying magic string 000000000000000000000000000000000000000000000000000000000000000000000000 (36 bytes)
2023/08/28 13:01:30.973277 mem.go:108: Nothing in memory region 0 (7917568 bytes): Digged nothing from 7917568 of given data
2023/08/28 13:01:30.973432 mem.go:73: Trying magic string 000000000000000000000000000000000000000000000000000000000000000000000000 (36 bytes)
2023/08/28 13:01:31.324532 mem.go:91: Now we have magic string 000000000000000000000000000000000000000000000000000000000000000000000000 (36 bytes)
2023/08/28 13:01:31.324692 mem.go:23: Found 15708 bytes in memory
panic: crypto/cipher: input not full blocks
goroutine 1 [running]:
crypto/cipher.(*cbcDecrypter).CryptBlocks(0xb05c3c0, {0xbb472a2, 0x3d4c, 0x3d4c}, {0xbb472a2, 0x3d4c, 0x3d4c})
    /opt/hostedtoolcache/go/1.20.7/x64/src/crypto/cipher/cbc.go:145 +0x399
github.com/jm33-m0/emp3r0r/core/lib/tun.AESDecryptRaw({0xb0ba040, 0x20, 0x20}, {0xbb47292, 0x3d5c, 0x3d5c})
    /home/runner/work/emp3r0r/emp3r0r/core/lib/tun/aes.go:70 +0x127
github.com/jm33-m0/emp3r0r/core/lib/agent.ApplyRuntimeConfig()
    /home/runner/work/emp3r0r/emp3r0r/core/lib/agent/config.go:24 +0x15a
main.main()
    /home/runner/work/emp3r0r/emp3r0r/core/cmd/agent/main.go:161 +0xe08
(root:/usr/local/web/www/diagnostics) $ uname -a
Linux Firewall 2.6.29.1 #3 SMP Thu Aug 26 10:26:55 CST 2010 i686 unknown

Your environment

emp3r0r.json

I suggest that you format your JSON with an online JSON formatter, for example https://codebeautify.org/jsonviewer

[root@www ~]# cat /root/.emp3r0r/emp3r0r.json
{
  "cc_port": "56303",
  "autoproxy_port": "32651",
  "autoproxy_timeout": 10,
  "http_listner_port": "24278",
  "shadowsocks_password": "nijwOgauoiKcRGtoWGGP",
  "shadowsocks_port": "44886",
  "kcp_port": "65151",
  "use_shadowsocks": false,
  "use_kcp": false,
  "ssh_proxy_port": "32652",
  "sshd_port": "58602",
  "broadcast_port": "57501",
  "broadcast_interval_min": 30,
  "broadcast_interval_max": 0,
  "pid_file": "/tmp/ssh-xRqsFteTmHMMaa/OafBCnYcqHoTJaGY",
  "cc_indicator": "",
  "indicator_wait_min": 30,
  "indicator_wait_max": 0,
  "indicator_text": "",
  "c2transport_proxy": "",
  "cdn_proxy": "",
  "doh_server": "",
  "socket": "/tmp/ssh-xRqsFteTmHMMaa/wHVeAZmEqvRFMpnP",
  "agent_root": "/tmp/ssh-xRqsFteTmHMMaa",
  "utils_path": "/tmp/ssh-xRqsFteTmHMMaa/ATqkGwpTrAXO",
  "agent_uuid": "362c657c-3c28-4889-a4eb-dceb1c52aa84",
  "agent_tag": "",
  "timeout": 12175
}

CC

Linux distro name and version, use cat /etc/*release* to view, paste the result below

# cat /etc/*release*
[root@www ~]#  cat /etc/*release*
CentOS Linux release 7.5.1804 (Core)
Derived from Red Hat Enterprise Linux 7.5 (Source)
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

CentOS Linux release 7.5.1804 (Core)
CentOS Linux release 7.5.1804 (Core)
cpe:/o:centos:centos:7

The run panel dies after the uncompressed version goes live:

(It may not be the agent's fault, because after restarting the panel I found that the agent had not dropped the connection.)

panic: runtime error: integer divide by zero
goroutine 40 [running]:
github.com/bettercap/readline.(*opCompleter).getMatrixSize(...)
        /home/runner/go/pkg/mod/github.com/bettercap/readline@v0.0.0-20210228151553-655e48bcb7bf/complete.go:177
github.com/bettercap/readline.(*opCompleter).HandleCompleteSelect(0xc0000ca540, 0x1be1e0?)
        /home/runner/go/pkg/mod/github.com/bettercap/readline@v0.0.0-20210228151553-655e48bcb7bf/complete.go:147 +0x493
github.com/bettercap/readline.(*Operation).ioloop(0xc0000ca3f0)
        /home/runner/go/pkg/mod/github.com/bettercap/readline@v0.0.0-20210228151553-655e48bcb7bf/operation.go:138 +0xff
created by github.com/bettercap/readline.NewOperation
        /home/runner/go/pkg/mod/github.com/bettercap/readline@v0.0.0-20210228151553-655e48bcb7bf/operation.go:88 +0x325
Pane is dead (status 2, Wed Aug 30 19:09:27 2023

C2 Transport

OS

Additional context

jm33-m0 commented 10 months ago

If you wish to use UPX, please install it before running gen_agent; the agent builder will automatically take care of compression and config data encryption, so you won't be greeted with such an error.

jm33-m0 commented 10 months ago

The root cause of this issue is how emp3r0r decrypts config data from the executable file. In earlier versions I was using a fixed pattern to locate the encrypted config data no matter where it resided in memory, and it worked without issue. Then I made the pattern dynamic, and the previous mechanism stopped working; therefore you can't make changes to the executable, otherwise it won't be able to read its config data.
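To illustrate the two failure points in the traces above (the marker search that finds a wrong or short blob, and the CBC decrypt that then panics with "input not full blocks"), here is an added example in Go. It is not emp3r0r's own code: the marker value, the 2-byte big-endian length prefix and the IV-prefixed ciphertext layout are assumptions made for this example, and the point is that a packed or edited image produces an error rather than a crash.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Hypothetical 36-byte marker that precedes the config blob in the image.
// The real project's marker and layout are not reproduced here.
var magic = []byte("EXAMPLE-EMP3R0R-CONFIG-MARKER-123456")

// extractConfig locates the marker and returns the length-prefixed payload
// that follows it. Every bound is checked, because a packer may have moved,
// rewritten or truncated the region the marker points into.
func extractConfig(image []byte) ([]byte, error) {
	i := bytes.Index(image, magic)
	if i < 0 {
		return nil, errors.New("magic string not found")
	}
	p := i + len(magic)
	if p+2 > len(image) {
		return nil, errors.New("length field truncated")
	}
	n := int(image[p])<<8 | int(image[p+1])
	if p+2+n > len(image) {
		return nil, fmt.Errorf("payload truncated: want %d bytes, have %d", n, len(image)-p-2)
	}
	return image[p+2 : p+2+n], nil
}

// decryptCBC is the guarded counterpart of the failing path: CryptBlocks
// panics on a partial block, so the length is validated first (IV || ciphertext).
func decryptCBC(key, data []byte) ([]byte, error) {
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("ciphertext of %d bytes is not a whole number of AES blocks", len(data))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, data[:aes.BlockSize]).CryptBlocks(out, data[aes.BlockSize:])
	return out, nil
}
```

A 33-byte blob like the one in the amd64 trace is rejected by decryptCBC with an error, and an image whose marker region was cut short is rejected by extractConfig.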

jm33-m0 commented 10 months ago

I will improve this part to make it more flexible.

winezer0 commented 10 months ago

There are two cases here: the first one is packed automatically when generated by the gen_agent command, and the second one is packed manually by me; neither of them can be executed normally.

jm33-m0 commented 10 months ago

Both samples failed to read config data, since they report magic string as 0. I think it's the same reason somehow.

The run panel dies after the uncompressed version goes live:

Your input somehow crashed the readline module, which is maintained by a third party. I will look into it and hopefully we will get a reliable way to trigger the crash. By the way, I suspect that it has something to do with your terminal (MobaXterm, I think?).

winezer0 commented 10 months ago

your terminal (MobaXterm I think?)

YES, my terminal is MobaXterm, but previous versions did not indicate this error.

jm33-m0 commented 10 months ago

Here's how it crashed:

https://github.com/bettercap/readline/blob/655e48bcb7bfa86c1485215bbf84289521a2f5ac/complete.go#L176-L182

I am sure there will be more divide-by-zero crashes in this module as it's barely maintained.

winezer0 commented 10 months ago

Here's how it crashed:

https://github.com/bettercap/readline/blob/655e48bcb7bfa86c1485215bbf84289521a2f5ac/complete.go#L176-L182

I am sure there will be more divide-by-zero crashes in this module as it's barely maintained.

Well, this is indeed the cause of the panel's death, and I hope you can fix it.

I am waiting for your update on the above two bugs.

jm33-m0 commented 10 months ago

@winezer0 Why did you close the issue? Is it resolved?

jm33-m0 commented 10 months ago

I have two issues here to address:

winezer0 commented 10 months ago

I have two issues here to address:

  • [ ] Improve the way config data is embedded in agent binary so it can be properly read no matter how you pack the binary (as long as it still runs).

Sorry, I updated UPX; now the agent is running normally, and I think the work of the change was too much, so I shut it down. Of course, I will reserve these questions if you have time to deal with them.

  • [ ] You need to provide a stable way of reproducing the crash in readline so I can report and resolve it in upstream repo.

The problem is not that big, as long as the agent doesn't drop out.

github-actions[bot] commented 8 months ago

Stale issue message